Trust Assessment
mcp-microsoft365 received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 2 medium, and 1 low severity. Key findings include Missing required field: name, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Skill requires excessive tenant-wide Microsoft Graph application permissions The `SKILL.md` setup instructions recommend granting broad Microsoft Graph application permissions such as `Files.Read.All`, `Files.ReadWrite.All`, `Chat.Read.All`, `User.Read.All`, `Mail.Read`, `Mail.Send`, `Mail.ReadWrite`, `Calendars.Read`, `Calendars.ReadWrite`, `Tasks.Read.All`, and `Tasks.ReadWrite.All`. These permissions grant the underlying application (and thus the skill) tenant-wide access to sensitive data across all users without requiring individual user consent. If an LLM using this skill is compromised via prompt injection, it could leverage these permissions to read, write, or exfiltrate a vast amount of sensitive organizational data (emails, files, chat messages, user profiles, calendar events, tasks) from any user in the tenant. The skill's tools are designed to operate on behalf of specified users, making this a direct and exploitable path for large-scale data exfiltration. 1. **Principle of Least Privilege:** Re-evaluate the minimum necessary permissions required for the skill's intended functionality. If the skill is meant for specific users or groups, consider using delegated permissions with user consent, or more granular application permissions if available (e.g., `Mail.ReadBasic.All` instead of `Mail.Read.All`). 2. **Scope Reduction:** If tenant-wide access is truly required for some features, consider splitting the skill into multiple skills with different permission sets, or implementing stricter internal access controls within the skill's logic to limit which users/data can be accessed based on the calling context. 3. **User Impersonation/Delegation:** For operations that require user context, prefer delegated permissions where the user explicitly consents, rather than application permissions that bypass individual user consent. 4. **Input Validation & Authorization:** Implement robust input validation and authorization checks within the skill's code to ensure that the LLM (or any caller) cannot arbitrarily specify `user` emails to access data they shouldn't have access to. This would require integrating with an identity system to verify the LLM's authorized scope. | LLM | SKILL.md:27 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/makhatib/mcp-microsoft365/SKILL.md:1 | |
| MEDIUM | Unpinned npm dependency version Dependency '@modelcontextprotocol/sdk' is not pinned to an exact version ('^1.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/makhatib/mcp-microsoft365/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/makhatib/mcp-microsoft365/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/b90552f7f443651c)
Powered by SkillShield